HIPAA Compliance and The Home Office

by Melanie
(Oregon)

I am going to start a home based billing service and want to make sure everything is HIPAA compliant. I know it has to be a separate office that only I have access to, and all the other precautions I would use in the clinic setting. I would like to find more information to make sure I cover everything in my business associate agreement. Where can I get all the info I need to make sure my email is compliant, my PC is compliant, my web connection is compliant? HIPAA compliance officer information if it is just me? I can't seem to find the resources I need to get all my ducks in a row.


Response:

Honestly, everyone seems to have a different interpretation of the HIPAA privacy and security requirements and what constitutes reasonable attempts to be compliant. I really haven’t seen a good definitive guide for medical office personnel regarding HIPAA practices - there is one on Amazon but I haven’t heard any review of it yet. I think some of the HIPAA rules - especially the security rule - contain so much technical stuff that the average providers and their business associates are at a loss to understand it.

I understand the intent of HIPAA is to protect patient privacy. So our business practices should be geared towards that. A lot of HIPAA is also good business practices - such as the requirement to backup data systems off site. And having processes in place for the protection of patient information is also good defence for civil litigation.

I think as long as we are making a reasonable and good faith effort - and documenting those efforts - then the home based billing service is fine. The HIPAA act uses the word “reasonable” several times. I have never heard of any type of “HIPAA Police” from the Department of Health & Human Services that go around inspecting billing services and providers’ offices for compliance. It’s only if someone files a complaint that any investigation would be conducted.

The HIPAA Survival Guide is a good resource for explaining a lot of the requirements of HIPAA and boiling them down so the rest of us can understand them.

Walk around your office and look for any potential privacy and security risks or violations. Look for patient information that is in full view of any visitors. Is there anything that can be seen through a window?

It’s a good idea to have written policies of your service’s privacy practices like removing files from the office, emailing or faxing patient information, how to handle complaints from patients, etc. Unless you have employees, of course, you would be the Privacy Officer. Some things to consider when developing policies:

  • Location of the fax machine. Is it located where only those working in your office can access it? What happens to faxes when unattended (is the office locked?).

  • When sending patient information via email, consider using encryption so that, in case the email goes to the wrong recipient, they cannot view it.

  • Do you have a cover sheet with a confidentiality statement which explains the fax contains personal medical information and that if it is received by anyone other than the intended recipient it should be destroyed and the sender notified?

  • If you have anyone else who accesses your office when you aren’t there, can they access patient information? If so, they should sign a confidentiality statement. This could be a landlord, IT/computer technician, cleaning crew, etc. When you have them sign a confidentiality agreement you are making a reasonable attempt to protect patient information. If these people violate the agreement, you are not held responsible.

  • Phone conversations where patient information is discussed should not be in a setting that can be overheard. You could be on the phone with the insurance company discussing claim information - treatments, diagnosis, medication, address, etc.

  • When files containing patient information are removed from the office there should be a log showing what information was removed, who removed it, date removed and returned, etc. These records should be carried in a case marked “Confidential Medical Records” or similar markings. Again, another reasonable measure taken to protect this information if something were to happen in transit.

  • Computer monitors should be located so that if you have visitors to your office, they cannot view the information displayed. There are also screen covers that limit the field of view for this type of situation.

  • If someone requests patient information, the patient's written consent must be provided prior to release.

  • Computers and servers running the practice management software should have STRONG passwords both to log onto the machine and to log into the application. The software should also be configured to log who accessed the application, what they did, and when - most of them already have this capability.


I hope this helps some. The best advice I can offer is to do everything you can to reasonably protect patient information that is in your care.

Copyright 2017 All-Things-Medical-Billing.com